How SOCWarden Works
A security ingestion engine. 15 threat feeds, 7 OSINT APIs, 3 LLM providers. Real-time risk scoring. All from a single POST /v1/events call.
Concept
Think of it like your home security
Your firewall is the front door lock. SOCWarden is the motion detector, the camera system and the alarm, watching everything that happens inside.
The Perimeter (WAF, Cloudflare)
What you already have
Your WAF and firewall block known-bad traffic at the door. Rate limiting, IP blocking, bot filtering. Essential, but it only sees the perimeter.
Inside: SOCWarden
What gets through the perimeter
SOCWarden watches what happens after traffic reaches your application. Login failures from Tor nodes, impossible travel, credential spraying and privilege escalation. All detected and scored in real time.
Getting started
Up and running in 2 minutes
One SDK install. One function call. Full threat intelligence.
Create your free account
Sign up at app.socwarden.com. No credit card required. You get an API key instantly.
Install the SDK and add your API key
Works with Laravel, Node.js, Python, Go, Browser or the raw HTTP API. Each SDK auto-collects IP, user agent and request context.
# Laravel composer require soc-warden/laravel-sdk # Node.js npm install @socwarden/node # Python pip install socwarden # Go go get github.com/soc-warden/go-sdk
Place API calls at the right spots in your app
Track security-relevant events: logins, admin actions, API key changes, password resets. Use structured event types like auth.login.success.
use SOCWarden\Facades\SOCWarden;
// After a login attempt
SOCWarden::track(
event: 'auth.login.success',
actor: $user,
);
// After an admin action (fluent builder)
SOCWarden::event('admin.settings.updated')
->actor($admin)
->meta('setting', 'billing')
->send();
// After a sensitive operation
SOCWarden::track(
event: 'data.exported',
actor: $user,
resource: 'customers',
metadata: ['format' => 'csv', 'rows' => 15000],
);SOCWarden enriches what happens inside your app
Every event is asynchronously enriched with GeoIP, 15 threat feeds, 7 OSINT APIs, behavioral detection, risk scoring and MITRE ATT&CK mapping. Your app never waits.
Get alerted the moment something suspicious happens
Alerts fire via Email, Telegram, Slack, Discord, PagerDuty or webhook. Smart grouping and deduplication reduce noise. Each alert includes LLM-generated summaries explaining what happened and why.
Risk scoring
Composite score: 0-100
Every signal adds to the composite risk score. Threat level: 0-24 (low), 25-49 (medium), 50-74 (high), 75-100 (critical).
How we derive each point value
The methodology follows the same two-axis model used by NIST SP 800-30 and the OWASP Risk Rating Methodology: likelihood × impact. We split likelihood into two observable signals — confidence and rarity — giving three factors per signal. The additive, capped scoring model mirrors CVSS v3.1.
The specific point values are calibrated in-house from feed provider documentation (Spamhaus publishes false positive rates for DROP/XBL; AbuseIPDB publishes confidence thresholds) and SOC analyst heuristics — the same approach used by Splunk ES, IBM QRadar, and Microsoft Sentinel for risk-based alerting. No single paper dictates these numbers; the framework is standardised, the weights are reasoned.
How reliably does this signal indicate malicious intent, with few false positives?
NIST: Threat Event Likelihood
If this is a real attack, how serious is the potential damage?
NIST: Adverse Impact / CVSS: Impact Score
How uncommon is this in normal, legitimate user activity?
OWASP: Ease of Discovery / Intrusion Prevalence
Example: A login from a Tor exit node on a Spamhaus-listed IP with 5 failed attempts in 3 minutes scores +10 (base) + +40 (Tor) + +50 (Spamhaus) + +25 (brute force) = 125 → capped at 100 (critical). Each signal is independent — they stack, and the final score is clamped to 100.
How base scores are set
Each of the 48 tracked event types carries a pre-computed base risk score reflecting the inherent severity of that action — independent of who performed it or from where. Scores follow a 0–60 scale based on worst-case attack impact if the action is malicious. They stack additively with threat feed matches and behavioral signals to form the final 0–100 composite.
A base-0 event can still reach critical risk if it matches a Tor exit node, Spamhaus listing, or triggers impossible travel.
Server agent
One sensor is not enough
Application events cover your code. The SOCWarden agent covers your infrastructure: SSH access, file changes, process execution and Docker events. All shipping to the same API.
SSH Monitoring
Tracks all SSH login attempts, successful and failed. Detects root login, key-based vs password auth.
File Integrity
Monitors critical paths (/etc/passwd, /etc/shadow, config files) for unauthorized modifications.
Process Monitoring
Detects new processes, privilege escalation and suspicious binaries like cryptominers or reverse shells.
Docker Events
Watches container lifecycle, including starts, stops, exec commands and volume mounts. Detects container escape attempts.
Detection
What does SOCWarden actually detect?
50 detection types: 36 behavioral (auth, session, geo, ML, server, container), 9 request anomaly categories (SQLi/XSS/CMDi/SSRF/etc.), and 5 kill-chain compounds. Every alert mapped to MITRE ATT&CK — 55 unique technique IDs across 33 parent and 22 sub-techniques.
Brute Force
T1110.0015+ failed login attempts within 5 minutes by actor or IP. Catches password guessing and automated credential attacks.
Impossible Travel
T1078Logins from locations that would require >800 km/h travel speed. Haversine distance calculation between consecutive logins.
Credential Spray
T1110.003Same failure pattern across 10+ distinct actors from the same /24 subnet. Catches distributed password spraying campaigns.
Geo-Anomaly
T1078.004First login from a new country or a sanctioned country. Tracks per-actor country history over a 14-day rolling window.
Session Anomaly
T15633+ concurrent IPs on one session, or session created + role change within 5 minutes. Detects session hijacking.
Time-of-Day Baseline
T107814-day rolling baseline of per-actor login hours. Admin actions outside normal hours add +10 risk. Catches off-hours compromise.
Account Takeover Chain
T1531New-country login → email change → password change within 2 hours. Detects the full account takeover sequence as a single high-confidence kill chain.
Data Exfiltration Chain
T1567data.accessed → data.exported → data.downloaded within 1 hour. Detects staged data theft sequences even when each individual event looks low-risk.
Request Attack Patterns
T1190Real-time payload scanning for SQLi, XSS, path traversal, command injection, SSRF, LDAP injection, and open redirect. Scores each match against OWASP Top 10.
Ready to add SOCWarden to your app?
Free tier. No credit card. Full threat intelligence from day one.